HealthSafe ISMS - Context of the Organisation and Interested Parties - (PENDING APPROVAL)
(ISO/IEC 27001:2022 – Clauses 4.1 & 4.2)
1. Purpose
The purpose of this document is to define and document the internal and external issues relevant to HealthSafe’s Information Security Management System (ISMS), as well as the interested parties and their requirements. This ensures that the ISMS is aligned with the organisation’s strategic direction and is capable of achieving its intended outcomes.
2. Internal Context of the Organisation (Clause 4.1)
HealthSafe has identified the following internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the ISMS:
2.1 Organisational Structure and Governance
HealthSafe operates with a defined organisational structure consisting of leadership, operational, and support functions. Key roles include the Chief Executive Officer (CEO), Information Security leadership (CISO), Customer Success, Sales, and Product/Engineering functions. Certain technical and operational functions, including software development and marketing, are supported through outsourced partners. Governance is maintained through defined reporting lines, management oversight, and documented policies.
2.2 Roles and Responsibilities
Roles and responsibilities for information security are defined and assigned across the organisation. Accountability for information security is established at leadership level, with operational responsibilities distributed across relevant functions. Third-party providers are also assigned responsibilities through contractual agreements and supplier management processes.
2.3 Business Processes
HealthSafe delivers services that involve the processing, storage, and transmission of customer data. Core business processes include customer onboarding, service delivery, platform operation, and customer support. These processes require the protection of confidentiality, integrity, and availability of information assets.
2.4 Technological Environment
HealthSafe operates a cloud-based infrastructure primarily hosted on Amazon Web Services (AWS). The environment includes web applications, databases, APIs, and supporting infrastructure components. Security controls implemented within this environment include firewalls, intrusion detection mechanisms, encryption, monitoring, and access control systems.
2.5 Information Security Policies and Procedures
HealthSafe maintains a comprehensive suite of ISMS policies and procedures that define the organisation’s approach to managing information security. These include, but are not limited to, access control, network security, incident management, risk management, supplier management, and business continuity. These documents provide the framework for implementing and maintaining effective security controls.
2.6 Use of Third Parties and Outsourcing
HealthSafe engages third-party providers to support specific business and technical functions, including software development and marketing services. These relationships are governed through contractual agreements, including security requirements, and are subject to supplier risk management and oversight processes.
2.7 Resources and Competence
HealthSafe relies on a combination of internal personnel and external partners to deliver its services. Competence requirements are defined through role responsibilities, and personnel are supported through induction and training processes. Resource availability and capability are considered in the implementation and operation of the ISMS.
2.8 Relationship to ISMS Outcomes
The internal issues identified above influence the design, implementation, and continual improvement of the ISMS. They determine the organisation’s risk environment, control requirements, resource needs, and governance structure. These internal factors are reviewed regularly to ensure the ISMS remains aligned with HealthSafe's purpose, strategic direction, and intended outcomes.
3. External Context of the Organisation (Clause 4.1)
HealthSafe has identified the following external issues relevant to the ISMS:
- Applicable legal, regulatory, and contractual requirements relating to data protection and information security
- Industry standards and best practices, including ISO/IEC 27001:2022
- Threat landscape, including cybersecurity risks such as malware, intrusion attempts, and denial-of-service attacks
- Dependence on third-party service providers, including cloud service providers (e.g., AWS)
- Expectations of clients and stakeholders regarding the protection of sensitive information
These external factors are monitored and reviewed as part of the ISMS and risk management processes.
4. Interested Parties and Their Requirements (Clause 4.2)
HealthSafe has identified the interested parties relevant to the Information Security Management System (ISMS), along with their needs, expectations, and applicable information security requirements. These requirements influence the design, implementation, and continual improvement of the ISMS.
4.2.1 Identified Interested Parties and Their Requirements
| Interested Party | Relevant Requirements/Expectations | How the ISMS Addresses these Requirements |
|---|---|---|
| Clients | Protection of personal and confidential data, service availability, contractual compliance, secure handling of information | Implemented controls for confidentiality, integrity, and availability; contractual security requirements integrated into risk treatment and policies |
| Employees | Secure systems, clear policies, appropriate access, protection of personal information | Access control procedures, onboarding/offboarding processes, security awareness training, HR security controls |
| Regulatory Authorities | Compliance with applicable laws and regulations (e.g., privacy, cybersecurity, data retention) | Legal and regulatory requirements tracked; compliance obligations integrated into risk assessment and SoA |
| Suppliers and Partners | Secure data exchange, defined responsibilities, adherence to contractual and security requirements | Supplier evaluation and monitoring; security clauses in contracts; third‑party risk management |
| Certification Body | Compliance with ISO/IEC 27001:2022 requirements | ISMS documentation, internal audits, management reviews, continual improvement |
| Partners | Secure collaboration, protection of shared information | Information exchange procedures, access restrictions, confidentiality agreements |
| Executive Management | Assurance that information security risks are managed, alignment with business objectives | ISMS governance, reporting, KPIs, risk management |
| Shareholders | Protection of business value, operational continuity, risk reduction | Business continuity planning, risk treatment, incident management |
4.2.2 Determination of Requirements Addressed by the ISMS
The organisation has evaluated the needs and expectations of each interested party and determined which of these constitute binding requirements. Binding requirements include:
- Legal and regulatory obligations
- Contractual requirements with clients, suppliers, and partners
- Internal policies and governance requirements
- Security requirements for outsourced and cloud services
- Requirements for protecting customer and organizational information
- Requirements for maintaining service availability and continuity
These requirements are incorporated into the ISMS through:
- Policies and procedures
- Risk assessment and treatment
- Statement of Applicability
- Supplier management
- Incident management
- Business continuity planning
5. Review and Maintenance
This section is reviewed:
- Annually during management review
- When significant changes occur to the organisation, its context, or its stakeholders
- When new legal, regulatory, or contractual requirements arise
Updates are documented and approved through the ISMS governance process.
Document Owner: Eparama Tuibenau - Head of Customer Success
Approved By: Gideon Burke - CEO (PENDING APPROVAL)
Version: 1.0
Date: 19 March 2026